The URL can be used to link to this page

Home My WebLink AboutMemo - Mail Packet - 2/16/2021 - Memorandum From Lisa Rosintoski Re: 2020 Annual Report: Fort Collins Utilities Program To Detect, Prevent And Mitigate Identity Theft Utilities electric ·stormwater ·wastewater ·water 222 Laporte Ave. PO Box 580 Fort Collins, CO 80522-0580 970.212.2900 V/TDD: 711 utilities@fcgov.com fcgov.com/utilities MEMORANDUM DATE: February 2, 2021 TO: Mayor Troxell and City Councilmembers FROM: Lisa Rosintoski, Utilities Deputy Director, Customer Connections Privacy Committee Senior Management Representative THROUGH: Darin Atteberry, City Manager Theresa Connor, Interim Utilities Executive Director RE: 2020 Mitigate Identity Theft -102. Bottom Line: In 2020, there were no reports of identity theft. The following incidents were documented and required follow-up that verified there were no Red-Flags compliance issues from a customer: On one occasion, a customer received four other customers bills along with their own as they were processed by the vendor. Accounts were noted, and bills were re-mailed correctly. The vendor took responsibility. No identify theft incidents from customers were reported to Utilities. On three occasions, bills were mailed to the incorrect address by the post office. Accounts were noted and bills were resent. Customers were reminded to not open mail that is not addressed to them. No identify theft incidents from customers were reported to Utilities. On nine occasions, a Customer Service Representative (CSR) emailed account information to the incorrect email address. CSR put notes into the impacted account in the event there was an issue. No incidents were reported from the customers. On one occasion, the customer did not update their contact information. Billing information was sent to the wrong residential address. CSR obtained updated contact information from customer and updated the system. No incident was reported from the customer. On one occasion, the owner changed the billing address of the tenant. The bill was received by the property owner as opposed to the tenant. The owner was notified that only the tenant can update the billing address. The CSR was reminded that only the verified person on the account can make changes. No incident was reported by the customer. Background The Utilities Privacy Committee is required to submit this report to its governing body by the Red Flags Rules, federal regulations effective as of December 31, 2010. The rules were promulgated as required by the Fair and Accurate Credit Transactions (FACT) Act of 2003 (Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 115). Resolution 2008-102 requires the annual update to include the following information: The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk existing covered accounts. As define offered or maintained primarily for personal, family, or household purposes, that involve multiple payments or transactions; and any other account offered or maintained for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the utility from The effectiveness of the policies and procedures of Fort Collins Utilities in addressing the risk of identity theft in connection with service provider agreements: Recommendations for material changes to the Program. Fort Collins Utilities has taken numerous steps to detect, prevent and mitigate identity theft in relation to covered accounts, and it continues to fine-tune its business practices as they relate to identity theft. In 2020, Utilities: Compliance Specialist Position: Continued to support the Compliance Specialist position. This individual is responsible to ensure adherence with regulatory requirements to prevent violations of data and privacy laws. Additionally, the employee is responsible for overseeing the implementation, maintenance of, and adherence to policies and procedures covering the access, use and handling of customer information. Followed Identity Theft Policies & Procedures: Detailed policies and procedures were updated in 2019 and maintained in 2020, which consisted of: o Inclusion of the Federal Law 47 U.S.C. § 222 for telecommunications carriers which prevents unauthorized disclosure of Customer Proprietary Network Information (CPNI); o Verifying identity when handling customer accounts. o Administering agreements with service providers who have access to data; and o . Continued Video and In-Person Training: Utilities requires annual interactive e-learning staff training on the Red Flags Rules and the Provided Mandatory NINJIO Video training: NINJIO videos offer cybersecurity awareness training via engaging learning videos. IT assigns a monthly NINJIO video to all Utilities staff to empower employees to become aware of cyberthreats. Completion of training is tied to system access. This service will be replaced with another service in 2021, but these type of staff trainings will continue. Training Adherence: Procedures are in place to ensure that all Utilities staff have obtained required training. Collaborated on Cybersecurity: Utilities continues to collaborate with applicable City staff and Platte River P meets or exceeds all applicable security requirements and best practices. Evaluated (defined as patterns, practices, or specific activities that indicate the possible existence of identity theft) are evaluated regularly to determine the need for business process improvements. The Privacy Committee is unaware of any significant incidents of identity theft since the plan was approved in October 2008 and has no recommendations for substantial material changes to the program at this time. In 2020, Utilities continues to ensure adherence with these policies and all regulatory requirements to detect, prevent and mitigate identity theft. CC: Cyril Vidergar, Senior Attorney Carrie Daggett, City Attorney Jen Barna, Sr Analyst, IT Security Tammi Pusheck, Sr Analyst, Administration (City Privacy and Records Manager)